Posted to users@subversion.apache.org by Edward Bosco <eb...@prologic-inc.com> on 2006/04/07 15:36:30 UTC

HowTo for LDAP authentication combined with per-file authorization on files / directories within a svn repository ?

I want to control what files are downloaded to a subversion repository 
client by the user name and which group a file is associated with. All
the various files are in a common repository. The files should be
associated with groups of LDAP-listed users.

All valid users are permitted access to the repository, but not all
valid users should see all files.
==

An example would be:
User billg is a member of group developers in LDAP Active Directory.

File doitnow.exe is a member of the developer group and resides at
\core\bin.

File doitlater.exe is a member of the tools group and also resides at
\core\bin within the repository.

On a subversion checkout or update, user billg should only download the
doitnow.exe to his working copy directory on the client machine. File
doitlater.exe should not be present in his working copy.

==

The subversion server runs Debian Sarge with Apache 2.0.55 and SVN
1.3.0;  it hosts a subversion repository at
/var/repos/repositories/testrepo. 

Modules mod_ldap.so, mod_auth_ldap.so, mod_dav_svn.so and
mod_authz_svn.so are loaded within the /etc/apache2/mods-enabled
directory.

Currently I can perform authentication via LDAP using an Active
Directory LDAP source. I'm trying to perform file-level authorization
via an arbitrary group or user list of the various users listed in LDAP
or some replicated file.

==

If I attempt webspace controls of <Location> or <Files> to the virtual
filesystem presented by the svn repository, I obtain a '403', Forbidden,
error.

If I use LDAP authentication on a valid user id, and use the
/etc/apache2/mod-enabled/dav_svn.conf file and
/etc/apache2/dav_svn.authz, I get access to the whole repository, and
the dav_svn.conf or .authz files have no effect on controlling the
access to particular files. 

To make it work I have to block out LDAP and use an htpasswd2-generated
password list. I have to list the files within the
/etc/apache2/dav_svn.authz file.

I'd like to have the 'and' of [LDAP authentication OK] + [File
name:group1] to allow access to a file such that we download to a client
only those permitted files.

==

Anybody do anything close to this? 

Thanks.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
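What the authorization side of this looks like, as an added example that is not part of the thread and not code from Subversion or either poster: the access file below is constructed for the scenario in the post (billg in group developers, two files under /core/bin belonging to different groups, written with forward slashes as mod_authz_svn requires), with the extra users alice, carol and mallory, the nested group staff, the file leaky.exe and the repository-qualified section testrepo:/secret invented for illustration. The script models how mod_authz_svn resolves such a file: it walks from the requested path up toward / and stops at the first section holding an entry that applies to the user, consulting a "repo:/path" section before the plain one, and an entry whose value lacks r denies reading. The precedence it applies inside one section (an entry naming the user, then the user's groups, then *) is this model's assumption and has differed between Subversion releases, so check it against the version you run. mod_authz_svn only sees the user name Apache authenticated, so it does not matter whether that came from mod_auth_ldap or an htpasswd file; what it needs is an AuthzSVNAccessFile directive pointing at a file like this inside the same <Location> that carries DAV svn and Require valid-user.

```python
"""Model of a mod_authz_svn access-file lookup, run over a constructed file.

Added example, not code from Subversion or from the posters. Path sections
are walked from the requested path up to '/', a "repo:/path" section is
consulted before the plain "/path" one, and the first section holding an
entry that applies to the user decides; an entry without 'r' denies read.
Precedence inside one section (user, then groups, then '*') is an
assumption of this model; check it against the release you run.
"""
import configparser
import posixpath

# Constructed access file for the scenario in the post. mod_authz_svn paths
# use forward slashes, so the post's \core\bin becomes /core/bin. The users
# alice, carol, mallory, the group staff, leaky.exe and /secret are invented.
SAMPLE_AUTHZ = """
[groups]
developers = billg, alice
tools = carol
staff = @developers, @tools

[/]
* = r

[/core/bin/doitnow.exe]
@developers = r
* =

[/core/bin/doitlater.exe]
@tools = r
* =

# Pitfall: no '* =' line, so users outside @tools are not denied here; the
# lookup falls through to [/] and they can still read the file.
[/core/bin/leaky.exe]
@tools = r

[testrepo:/secret]
@developers = rw
* =
"""


def load_authz(text):
    """Parse access-file text; keeps user and group names case-sensitive."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def group_members(cp, group, seen=None):
    """Users in `group`, following nested @group references (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen or not cp.has_option("groups", group):
        return set()
    seen.add(group)
    members = set()
    for item in cp.get("groups", group).split(","):
        item = item.strip()
        if item.startswith("@"):
            members |= group_members(cp, item[1:], seen)
        elif item:
            members.add(item)
    return members


def applicable_entry(cp, section, user):
    """Permission string of the most specific entry for `user`, or None."""
    if not cp.has_section(section):
        return None
    entries = cp.items(section)
    for name, perms in entries:           # 1. an entry naming the user
        if name == user:
            return perms
    merged = None                         # 2. entries for groups holding the user
    for name, perms in entries:
        if name.startswith("@") and user in group_members(cp, name[1:]):
            merged = (merged or "") + perms
    if merged is not None:
        return merged
    for name, perms in entries:           # 3. the catch-all entry
        if name == "*":
            return perms
    return None                           # section says nothing about this user


def access(cp, user, path, repo=None):
    """(can_read, can_write) for `user` on `path`; default deny if no entry."""
    node = posixpath.normpath("/" + path.lstrip("/"))
    while True:
        candidates = ([f"{repo}:{node}"] if repo else []) + [node]
        for section in candidates:
            perms = applicable_entry(cp, section, user)
            if perms is not None:
                return ("r" in perms, "w" in perms)
        if node == "/":
            return (False, False)
        node = posixpath.dirname(node)


AUTHZ = load_authz(SAMPLE_AUTHZ)

if __name__ == "__main__":
    for user in ("billg", "carol", "mallory"):
        for path in ("/core/bin", "/core/bin/doitnow.exe",
                     "/core/bin/doitlater.exe", "/core/bin/leaky.exe"):
            print(f"{user:8} {path:26} read={access(AUTHZ, user, path)[0]}")
    print("billg on /secret in testrepo:", access(AUTHZ, "billg", "/secret", repo="testrepo"))
```

Running it prints the per-user table and shows the pitfall the leaky.exe section exists for: a section that only names the allowed group does not exclude anyone else, because users it says nothing about inherit the parent's rule, here the "* = r" under [/]. Every per-file section that is meant to be exclusive needs its own "* =" line, which is what makes billg lose doitlater.exe while keeping doitnow.exe.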

Re: HowTo for LDAP authentication combined with per-file authorization on files / directories within a svn repository ?

Posted by Jared Hardy <jh...@highimpactgames.com>.
I must admit I'm not using any per-directory or per-file authentication
via mod_authz_svn. I just wanted to comment that I had a lot of trouble
getting mod_auth_ldap authentication to work for my uses, with the SuSE
Linux ES 9 native OpenLDAP authentication database. What I ended up
doing is changing the pam settings in /etc/pam.d/httpd like this:

auth       required     pam_ldap.so
account    required     pam_ldap.so

After I completed that step "AuthType Basic" worked with my Apache
2.0.49 installation. This is my apache configuration for the Subversion
share now:

<IfModule mod_dav_svn.c>

<Location /svn>
DAV svn
SVNParentPath /path/to/repos/
#SVNAutoversioning on
#Using mod_auth_pam, which is in turn using pam_ldap
AuthType Basic
AuthName "Subversion Repository"
# Note: Apache 2.0 and mod_auth_pam treat several Require lines as
# alternatives, so "valid-user" alone satisfies the check and the group
# line below adds no restriction; drop "valid-user" if only members of
# SVNusers should get in.
require valid-user
require group SVNusers
</Location>

</IfModule>

I wanted to tell you this, in case your <Location> and <Files> attempts
at webspace controls on the virtual filesystem might work more
consistently with this setup, rather than just using auth_ldap. Let me
know if you try this and succeed -- I am dreading the possibility of
needing per-directory controls at a future point in my project, and your
success would be reassuring. :)

Thanks,
Jared

Edward Bosco wrote:
> I want to control what files are downloaded to a subversion repository
> client by the user name and which group a file is associated with. All
> the various files are in a common repository. The files should be
> associated with groups of LDAP-listed users.

